2) after token got extension link user can use other tokens extension period to the current token, so user end no need to re import token in to their phones.

3) is user need to buy new tokens?

For example user have 10 tokens in their AM server which is upgraded from 8.1 Px to 8.2 SP1 P1.

all 10 tokens expiring soon, not other tokens available to replace them.

can any one explain from here how user will get token extension after they redistribute.

as per my understanding,

They still need to buy new tokens and import it in to RSA AM server and then when extending tokens we can sue new token serial number to extend the expiry date of existing token then new token will be deleted from RSA AM server, kindly coreect me if I am wrong.

When a software token is distributed from an 8.2 or higher version, it gets a value hidden in the database called terminate date. The creates a checkmark on the security console that the token is 'extendable'.

As long as the token remains assigned to a user, the terminate date remains.

The user gets the token, and it will never expire on the user side. It will just stop working for authentication on the actual expire date. If you buy new software tokens, you can go to these soon to expire tokens and extend them, with a new token, where the

a) new token gets deleted

b) the old token gets extended by 'inheriting the new token expire date'

This way the end user never needs to reinstall the token on their device, the admins can keep pushing out the expire dates.

NOTE: when I say 'never expire' it does eventually expire. The terminate date today is in 2035. So, until the terminate date, tokens can be extended multiple times.

When a software token is distributed from an 8.2 or higher version, it gets a value hidden in the database called terminate date. The creates a checkmark on the security console that the token is 'extendable'.

As long as the token remains assigned to a user, the terminate date remains.

The user gets the token, and it will never expire on the user side. It will just stop working for authentication on the actual expire date. If you buy new software tokens, you can go to these soon to expire tokens and extend them, with a new token, where the

a) new token gets deleted

b) the old token gets extended by 'inheriting the new token expire date'

This way the end user never needs to reinstall the token on their device, the admins can keep pushing out the expire dates.

NOTE: when I say 'never expire' it does eventually expire. The terminate date today is in 2035. So, until the terminate date, tokens can be extended multiple times.

1) User should by new tokens before expired the old tokens, Am I right? if yes how many days before need to buy new tokens and import in to AM, if user import new software tokens after old token expired still user can extend as you said above?

I don't know the sales cycle and how long it takes from buying software tokens to getting them in your hands. By default the system will allow you to extend tokens 15 days or lower from when tokens expire. You can run a command line action to extend this date so you can extend tokens way before the 15 day limit. In reality you can extend tokens a day before, or the same day, or after they expire, as it happens quickly and the end user needs to do nothing.

Can you extend a 'dead expired token' and make it active again ? Yes.

Here is an extremely old token, showing extendable (it was distributed from 8.2, therefore has a terminate date).